Werk #14544: Agent controller: Use host certificate store during registration
|Title||Agent controller: Use host certificate store during registration|
|Date||Jul 21, 2022|
|Checkmk Edition||Checkmk Raw (CRE)|
|Checkmk Version||2.2.0i1 2.1.0p9|
|Compatibility||Compatible - no manual interaction needed|
In order to register at a Checkmk site, the agent controller (cmk-agent-ctl) needs to know, among others, the name of the server where the site is running and a port. The port can either be included in the server name argument (-s), or it can be left out. In case it is left out, the agent controller tries to query the port from the REST API of the target site.
In case the communication with the REST API is HTTPS-secured, the agent controller is supposed to use the certificate store of the host to verify the server certificate. This was however not the case, which in particular affected setups with server certificates signed by a custom CA (where the corresponding root certificate was correctly added to the certificate store of the host). The resulting error message read:
$ cmk-agent-ctl register ... ... Failed to discover agent receiver port from Checkmk REST API, both with http and https. ... Error with https: ... invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Note that, as mentioned above, this only happened if no explicit port was given during the agent registration.